<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>2.2. Refining Access Controls</title>
<link rel="stylesheet" href="dbstyle.css" type="text/css">
<meta name="generator" content="DocBook XSL Stylesheets V1.72.0">
<link rel="start" href="index.html" title="Programmer's Reference Guide">
<link rel="up" href="zend.acl.html" title="Chapter 2. Zend_Acl">
<link rel="prev" href="zend.acl.html" title="Chapter 2. Zend_Acl">
<link rel="next" href="zend.acl.advanced.html" title="2.3. Advanced Use">
<link rel="chapter" href="introduction.html" title="Chapter 1. Introduction to Zend Framework">
<link rel="chapter" href="zend.acl.html" title="Chapter 2. Zend_Acl">
<link rel="chapter" href="zend.auth.html" title="Chapter 3. Zend_Auth">
<link rel="chapter" href="zend.cache.html" title="Chapter 4. Zend_Cache">
<link rel="chapter" href="zend.config.html" title="Chapter 5. Zend_Config">
<link rel="chapter" href="zend.console.getopt.html" title="Chapter 6. Zend_Console_Getopt">
<link rel="chapter" href="zend.controller.html" title="Chapter 7. Zend_Controller">
<link rel="chapter" href="zend.currency.html" title="Chapter 8. Zend_Currency">
<link rel="chapter" href="zend.date.html" title="Chapter 9. Zend_Date">
<link rel="chapter" href="zend.db.html" title="Chapter 10. Zend_Db">
<link rel="chapter" href="zend.debug.html" title="Chapter 11. Zend_Debug">
<link rel="chapter" href="zend.dojo.html" title="Chapter 12. Zend_Dojo">
<link rel="chapter" href="zend.dom.html" title="Chapter 13. Zend_Dom">
<link rel="chapter" href="zend.exception.html" title="Chapter 14. Zend_Exception">
<link rel="chapter" href="zend.feed.html" title="Chapter 15. Zend_Feed">
<link rel="chapter" href="zend.filter.html" title="Chapter 16. Zend_Filter">
<link rel="chapter" href="zend.form.html" title="Chapter 17. Zend_Form">
<link rel="chapter" href="zend.gdata.html" title="Chapter 18. Zend_Gdata">
<link rel="chapter" href="zend.http.html" title="Chapter 19. Zend_Http">
<link rel="chapter" href="zend.infocard.html" title="Chapter 20. Zend_InfoCard">
<link rel="chapter" href="zend.json.html" title="Chapter 21. Zend_Json">
<link rel="chapter" href="zend.layout.html" title="Chapter 22. Zend_Layout">
<link rel="chapter" href="zend.ldap.html" title="Chapter 23. Zend_Ldap">
<link rel="chapter" href="zend.loader.html" title="Chapter 24. Zend_Loader">
<link rel="chapter" href="zend.locale.html" title="Chapter 25. Zend_Locale">
<link rel="chapter" href="zend.log.html" title="Chapter 26. Zend_Log">
<link rel="chapter" href="zend.mail.html" title="Chapter 27. Zend_Mail">
<link rel="chapter" href="zend.measure.html" title="Chapter 28. Zend_Measure">
<link rel="chapter" href="zend.memory.html" title="Chapter 29. Zend_Memory">
<link rel="chapter" href="zend.mime.html" title="Chapter 30. Zend_Mime">
<link rel="chapter" href="zend.openid.html" title="Chapter 31. Zend_OpenId">
<link rel="chapter" href="zend.paginator.html" title="Chapter 32. Zend_Paginator">
<link rel="chapter" href="zend.pdf.html" title="Chapter 33. Zend_Pdf">
<link rel="chapter" href="zend.registry.html" title="Chapter 34. Zend_Registry">
<link rel="chapter" href="zend.rest.html" title="Chapter 35. Zend_Rest">
<link rel="chapter" href="zend.search.lucene.html" title="Chapter 36. Zend_Search_Lucene">
<link rel="chapter" href="zend.server.html" title="Chapter 37. Zend_Server">
<link rel="chapter" href="zend.service.html" title="Chapter 38. Zend_Service">
<link rel="chapter" href="zend.session.html" title="Chapter 39. Zend_Session">
<link rel="chapter" href="zend.soap.html" title="Chapter 40. Zend_Soap">
<link rel="chapter" href="zend.test.html" title="Chapter 41. Zend_Test">
<link rel="chapter" href="zend.text.html" title="Chapter 42. Zend_Text">
<link rel="chapter" href="zend.timesync.html" title="Chapter 43. Zend_TimeSync">
<link rel="chapter" href="zend.translate.html" title="Chapter 44. Zend_Translate">
<link rel="chapter" href="zend.uri.html" title="Chapter 45. Zend_Uri">
<link rel="chapter" href="zend.validate.html" title="Chapter 46. Zend_Validate">
<link rel="chapter" href="zend.version.html" title="Chapter 47. Zend_Version">
<link rel="chapter" href="zend.view.html" title="Chapter 48. Zend_View">
<link rel="chapter" href="zend.xmlrpc.html" title="Chapter 49. Zend_XmlRpc">
<link rel="appendix" href="requirements.html" title="Appendix A. Zend Framework Requirements">
<link rel="appendix" href="coding-standard.html" title="Appendix B. Zend Framework Coding Standard for PHP">
<link rel="appendix" href="copyrights.html" title="Appendix C. Copyright Information">
<link rel="index" href="the.index.html" title="Index">
<link rel="subsection" href="zend.acl.refining.html#zend.acl.refining.precise" title="2.2.1. Precise Access Controls">
<link rel="subsection" href="zend.acl.refining.html#zend.acl.refining.removing" title="2.2.2. Removing Access Controls">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader"><table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">2.2. Refining Access Controls</th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="zend.acl.html">Prev</a> </td>
<th width="60%" align="center">Chapter 2. Zend_Acl</th>
<td width="20%" align="right"> <a accesskey="n" href="zend.acl.advanced.html">Next</a>
</td>
</tr>
</table></div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="zend.acl.refining"></a>2.2. Refining Access Controls</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="zend.acl.refining.precise"></a>2.2.1. Precise Access Controls</h3></div></div></div>
<p>
        The basic ACL as defined in the <a href="zend.acl.html#zend.acl.introduction" title="2.1. Introduction">previous section</a> shows
        how various privileges may be allowed upon the entire ACL (all Resources). In practice, however, access
        controls tend to have exceptions and varying degrees of complexity. Zend_Acl allows to you accomplish
        these refinements in a straightforward and flexible manner.
        </p>
<p>
        For the example CMS, it has been determined that whilst the 'staff' group covers the needs of the
        vast majority of users, there is a need for a new 'marketing' group that requires access to the
        newsletter and latest news in the CMS. The group is fairly self-sufficient and will have the ability
        to publish and archive both newsletters and the latest news.
        </p>
<p>
        In addition, it has also been requested that the 'staff' group be allowed to view news stories but
        not to revise the latest news. Finally, it should be impossible for anyone (administrators included)
        to archive any 'announcement' news stories since they only have a lifespan of 1-2 days.
        </p>
<p>
        First we revise the Role registry to reflect these changes. We have determined that the 'marketing'
        group has the same basic permissions as 'staff', so we define 'marketing' in such a way that it
        inherits permissions from 'staff':
        </p>
<pre class="programlisting">&lt;?php
// The new marketing group inherits permissions from staff
$acl-&gt;addRole(new Zend_Acl_Role('marketing'), 'staff');
        </pre>
<p>
        Next, note that the above access controls refer to specific Resources (e.g., "newsletter", "latest news", "announcement news"). Now we add these Resources:
        </p>
<pre class="programlisting">&lt;?php
// Create Resources for the rules
require_once 'Zend/Acl/Resource.php';
$acl-&gt;add(new Zend_Acl_Resource('newsletter'));           // newsletter
$acl-&gt;add(new Zend_Acl_Resource('news'));                 // news
$acl-&gt;add(new Zend_Acl_Resource('latest'), 'news');       // latest news
$acl-&gt;add(new Zend_Acl_Resource('announcement'), 'news'); // announcement news
        </pre>
<p>
        Then it is simply a matter of defining these more specific rules on the target areas of the ACL:
        </p>
<pre class="programlisting">&lt;?php
// Marketing must be able to publish and archive newsletters and the latest news
$acl-&gt;allow('marketing', array('newsletter', 'latest'), array('publish', 'archive'));

// Staff (and marketing, by inheritance), are denied permission to revise the latest news
$acl-&gt;deny('staff', 'latest', 'revise');

// Everyone (including administrators) are denied permission to archive news announcements
$acl-&gt;deny(null, 'announcement', 'archive');
        </pre>
<p>
        We can now query the ACL with respect to the latest changes:
        </p>
<pre class="programlisting">&lt;?php
echo $acl-&gt;isAllowed('staff', 'newsletter', 'publish') ?
     "allowed" : "denied"; // denied

echo $acl-&gt;isAllowed('marketing', 'newsletter', 'publish') ?
     "allowed" : "denied"; // allowed

echo $acl-&gt;isAllowed('staff', 'latest', 'publish') ?
     "allowed" : "denied"; // denied

echo $acl-&gt;isAllowed('marketing', 'latest', 'publish') ?
     "allowed" : "denied"; // allowed

echo $acl-&gt;isAllowed('marketing', 'latest', 'archive') ?
     "allowed" : "denied"; // allowed

echo $acl-&gt;isAllowed('marketing', 'latest', 'revise') ?
     "allowed" : "denied"; // denied

echo $acl-&gt;isAllowed('editor', 'announcement', 'archive') ?
     "allowed" : "denied"; // denied

echo $acl-&gt;isAllowed('administrator', 'announcement', 'archive') ?
     "allowed" : "denied"; // denied
        </pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="zend.acl.refining.removing"></a>2.2.2. Removing Access Controls</h3></div></div></div>
<p>
        To remove one or more access rules from the ACL, simply use the available <code class="code">removeAllow()</code>
        or <code class="code">removeDeny()</code> methods. As with <code class="code">allow()</code> and <code class="code">deny()</code>, you may
        provide a <code class="code">null</code> value to indicate application to all Roles, Resources, and/or privileges:
        </p>
<pre class="programlisting">&lt;?php
// Remove the denial of revising latest news to staff (and marketing, by inheritance)
$acl-&gt;removeDeny('staff', 'latest', 'revise');

echo $acl-&gt;isAllowed('marketing', 'latest', 'revise') ?
     "allowed" : "denied"; // allowed

// Remove the allowance of publishing and archiving newsletters to marketing
$acl-&gt;removeAllow('marketing', 'newsletter', array('publish', 'archive'));

echo $acl-&gt;isAllowed('marketing', 'newsletter', 'publish') ?
     "allowed" : "denied"; // denied

echo $acl-&gt;isAllowed('marketing', 'newsletter', 'archive') ?
     "allowed" : "denied"; // denied
        </pre>
<p>
        Privileges may be modified incrementally as indicated above, but a <code class="code">null</code> value for the
        privileges overrides such incremental changes:
        </p>
<pre class="programlisting">&lt;?php
// Allow marketing all permissions upon the latest news
$acl-&gt;allow('marketing', 'latest');

echo $acl-&gt;isAllowed('marketing', 'latest', 'publish') ?
     "allowed" : "denied"; // allowed

echo $acl-&gt;isAllowed('marketing', 'latest', 'archive') ?
     "allowed" : "denied"; // allowed

echo $acl-&gt;isAllowed('marketing', 'latest', 'anything') ?
     "allowed" : "denied"; // allowed
        </pre>
</div>
</div>
<div class="navfooter"><table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="zend.acl.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="zend.acl.html">Up</a></td>
<td width="40%" align="right"> <a accesskey="n" href="zend.acl.advanced.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">Chapter 2. Zend_Acl </td>
<td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td>
<td width="40%" align="right" valign="top"> 2.3. Advanced Use</td>
</tr>
</table></div>
<div class="revinfo"></div>
</body>
</html>
